Resubmissions

25-06-2021 19:11

210625-5pemrnaw72 8

17-01-2021 18:28

210117-75pm951t9e 8

30-12-2020 13:22

201230-xn7db4f1zn 8

Analysis

  • max time kernel
    149s
  • max time network
    96s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    17-01-2021 18:28

General

  • Target

    freebobux.exe

  • Size

    779KB

  • MD5

    794b00893a1b95ade9379710821ac1a4

  • SHA1

    85c7b2c351700457e3d6a21032dfd971ccb9b09d

  • SHA256

    5ac42d75e244d33856971120a25bd77f2c0712177384dfa61fb90c0e7790d34c

  • SHA512

    3774d4aed0cce7ed257d31a2bb65dda585d142c3c527dc32b40064d22d9d298dd183c52603561c9c1e96dd02737a8b2237c433cf7a74dccb0a25191446d60017

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 95 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 108 IoCs
  • Suspicious use of SendNotifyMessage 108 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\freebobux.exe
    "C:\Users\Admin\AppData\Local\Temp\freebobux.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7BDD.tmp\freebobux.bat""
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:552
      • C:\Users\Admin\AppData\Local\Temp\7BDD.tmp\CLWCP.exe
        clwcp c:\temp\bg.bmp
        3⤵
        • Executes dropped EXE
        • Sets desktop wallpaper using registry
        PID:3928
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7BDD.tmp\x.vbs"
        3⤵
        PID:1456
  • C:\Windows\system32\sndvol.exe
    "C:\Windows\system32\sndvol.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2092
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1396

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    • Modify Registry (T1112): 1
  • Discovery
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 1
  • Impact
    • Defacement (T1491): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7BDD.tmp\CLWCP.exe
    MD5

    e62ee6f1efc85cb36d62ab779db6e4ec

    SHA1

    da07ec94cf2cb2b430e15bd0c5084996a47ee649

    SHA256

    13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

    SHA512

    8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

  • C:\Users\Admin\AppData\Local\Temp\7BDD.tmp\bg.bmp
    MD5

    2229bdea09783e544015db10917ea91c

    SHA1

    9d8fd01f98f6de2f2889bc441847f25146190660

    SHA256

    13ff1d9aee82f15e4df8621c0b68ca31844bea8a0a5e5b194dfeabac7a646521

    SHA512

    c1abd12398bf749fcc07de144ada40e23985cde634d7ba756f0199614ec4eec918c706f0d8af2f4fbec2539c256e638496e8c57cd18e2f5cbefe204d3770d089

  • C:\Users\Admin\AppData\Local\Temp\7BDD.tmp\freebobux.bat
    MD5

    202d76eb2952aeb2e241c13defe48045

    SHA1

    34e26a3407288c7ea63bd1cd305c27b06b163386

    SHA256

    9d99aa3263624e3a9434af76bac620f71598c082b35504de738d1c04af079fab

    SHA512

    6a78847878c3ee4ef82a61d03e4f61f681ad7c2d62d5ff10645f17fa2acf63bc76b5862043bb94eaf7d80ce0ab2c35a904ef6de178623d42111c453c5ee9f3d3

  • C:\Users\Admin\AppData\Local\Temp\7BDD.tmp\x.vbs
    MD5

    ab30794d761af418b216eab48d003536

    SHA1

    edd4c2f1813c70cb8739b5c3b8efa425072a4911

    SHA256

    a6154ba12e45de717c0f6cef752c68897ac80438d1ad60750b258f1d35a39e25

    SHA512

    96214a59bd691d2210a758d1679e2db7e6b186c2f0b8bd9a4286ea3a8aeaa1f35632c6c078371bf474e7dffca9e23bd0d6cc4e9c0c114c883ab3374be81f291d

  • memory/552-2-0x0000000000000000-mapping.dmp
  • memory/1456-9-0x0000000000000000-mapping.dmp
  • memory/3928-5-0x0000000000000000-mapping.dmp
  • memory/3928-8-0x0000000000640000-0x0000000000641000-memory.dmp
    Filesize

    4KB